Slide 1

Slide 1 text

What's Up Argon2?
The Password Hashing Winner, A Year Later
JP Aumasson, Kudelski Security

Slide 2

Slide 2 text

password-hashing.net

Slide 3

Slide 3 text

Nobody cared about password hashing research before PHC
Now we've got Argon2, the best password hash ever
Secure, simple, easy to use

Slide 4

Slide 4 text

No content

Slide 5

Slide 5 text

How Argon2 works, super high-level
1. H := Hash(password, salt, all parameters)
2. Fill a 2-dimensional array B of MemParameter 1024-byte blocks
• Fill column by column, with sequential dependency
• Blocks B[i][0] and B[i][1] depend on H
• Other blocks B[i][j] depend on B[i][j-1] and on another block
• "depend on X" = "are a BLAKE2-based hash of stuff including X"
3. Repeat step 2 TimeParameter times, xoring new blocks into old ones
4. Return as a tag an xor of the last column's blocks

Slide 6

Slide 6 text

• Argon2d: "another block" depends on the password
• Argon2i: "another block" is independent of the password
Side-channel info on "another block" can be used to crack passwords faster
⇒ use Argon2i if there are side channels
But Argon2d gets you optimal resistance to time-memory tradeoffs (TMTO)
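An added example (not from the slides or from the Argon2 project) that puts the structure of slides 5 and 6 into runnable Python: a toy memory-hard hash with the same shape as Argon2 (H0 from password, salt and parameters; a lanes × m array of blocks filled column by column; t passes xoring new blocks into old ones; tag = xor of the last column), switchable between Argon2d-style and Argon2i-style selection of "another block". It is not Argon2: the 64-byte block size, the toy compression function G (a plain BLAKE2b hash instead of Argon2's BLAKE2b-round permutation), the simplified reference-index rules, and the salt and passwords in `access_pattern` are all assumptions made for illustration. What it does show faithfully is the side-channel point of slide 6: in mode "i" the sequence of memory addresses touched is the same for every password, in mode "d" it is not.

```python
"""Toy memory-hard hash shaped like Argon2 (NOT Argon2; see lead-in).

Shows the four high-level steps and why Argon2d leaks through its memory
access pattern while Argon2i does not.
"""
import hashlib
import struct

BLOCK = 64  # toy block size in bytes (assumption; real Argon2 uses 1024)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def G(x: bytes, y: bytes) -> bytes:
    """Toy compression: 'depends on X' = a BLAKE2b hash of stuff including X.
    (Argon2 uses a permutation built from BLAKE2b's round function.)"""
    return hashlib.blake2b(x + y, digest_size=BLOCK).digest()


def ref_index(mode, prev, pass_no, lane, col, lanes, m):
    """Choose the 'another block' (ref_lane, ref_col) that B[lane][col] depends on.
    mode 'd': derived from the previous block's contents -> password-dependent.
    mode 'i': derived from the position only -> identical for every password."""
    if mode == "d":
        src = prev
    else:
        src = hashlib.blake2b(struct.pack("<IIIII", pass_no, lane, col, lanes, m),
                              digest_size=8).digest()
    x, y = struct.unpack("<II", src[:8])
    ref_lane = x % lanes
    if pass_no == 0:
        ref_col = y % (col - 1)        # any already-filled column except the previous one
    else:
        ref_col = y % (m - 1)          # any column except the one being overwritten
        if ref_col >= col:
            ref_col += 1
    return ref_lane, ref_col


def toy_argon2(password: bytes, salt: bytes, m: int = 16, t: int = 2,
               lanes: int = 2, mode: str = "i", trace=None) -> bytes:
    assert mode in ("d", "i") and m >= 4 and t >= 1 and lanes >= 1
    # 1. H0 := Hash(password, salt, all parameters)
    h0 = hashlib.blake2b(struct.pack("<IIII", lanes, m, t, len(password))
                         + mode.encode() + salt + password,
                         digest_size=BLOCK).digest()
    B = [[None] * m for _ in range(lanes)]
    # 2. B[i][0] and B[i][1] depend on H0 only
    for i in range(lanes):
        B[i][0] = G(h0, struct.pack("<II", 0, i))
        B[i][1] = G(h0, struct.pack("<II", 1, i))
    # 3. t passes over the array, column by column, sequential dependency on B[i][col-1]
    for pass_no in range(t):
        for col in range(2 if pass_no == 0 else 0, m):
            for i in range(lanes):
                prev = B[i][(col - 1) % m]
                rl, rc = ref_index(mode, prev, pass_no, i, col, lanes, m)
                if trace is not None:
                    trace.append((i, col, rl, rc))   # memory address pattern
                new = G(prev, B[rl][rc])
                B[i][col] = new if pass_no == 0 else xor(B[i][col], new)
    # 4. tag := xor of the last column's blocks
    tag = B[0][m - 1]
    for i in range(1, lanes):
        tag = xor(tag, B[i][m - 1])
    return tag


def access_pattern(password: bytes, mode: str) -> list:
    """Sequence of (lane, col, ref_lane, ref_col) touched while hashing.
    Salt is a constructed constant so only the password varies."""
    trace = []
    toy_argon2(password, b"constructed-salt", mode=mode, trace=trace)
    return trace


if __name__ == "__main__":
    for mode in ("i", "d"):
        same = access_pattern(b"hunter2", mode) == access_pattern(b"correct horse", mode)
        print(f"mode {mode}: access pattern independent of the password? {same}")
```

An attacker who can observe which addresses are touched (cache timing on a shared host, for instance) learns nothing about the password from the "i" trace, but can use the "d" trace to reject candidate passwords after only a few blocks instead of computing the whole tag; that is the reason slide 6 recommends Argon2i when side channels are a concern.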

Slide 7

Slide 7 text

Specifically, on an i7-4500U (Haswell):
• 0.1 second for Argon2d using 250 MB on 1 core
• 0.5 second for Argon2i using 1 GB on 2 cores

Slide 8

Slide 8 text

Applications of Argon2
• Storing user passwords
• Key derivation from low-entropy data like passwords
• Proofs of work (there's already an altcoin)

Slide 9

Slide 9 text

Get it at https://github.com/P-H-C/phc-winner-argon2
• Reference C89 code, for Linux, *BSD, Windows
• Builds static and shared libs, and a command-line utility
• Public domain-like license (CC0)
• Bindings for most common languages

Slide 10

Slide 10 text

Based on initial C++ code by the Argon2 designers
Since then, as of Jul 25, 2016:
• 463 commits, 91 pull requests, 58 issues
• Major code cleanup and lots of bugs fixed
• Continuous integration and best practices

Slide 11

Slide 11 text

Thanks to all contributors

Slide 12

Slide 12 text

The default password hash in libsodium https://download.libsodium.org, by @jedisct1

Slide 13

Slide 13 text

Props to @lucabruno

Slide 14

Slide 14 text

Why Argon2 and not scrypt?
• scrypt has no data-independent mode (like Argon2i)
• Argon2 is easier to parametrize (just 2 knobs: time and memory)
• The Argon2 algorithm is simpler
• scrypt needs PBKDF2, HMAC, SHA-256, Salsa20
• Argon2 just needs BLAKE2-like rounds
Argon2 also has a better security analysis…

Slide 15

Slide 15 text

Argon2’s security (1/4): cryptanalysis • Seriously? :-)

Slide 16

Slide 16 text

Argon2's security (2/4): GPU/ASIC inefficiency
• Argon2 is optimized for modern x86 microarchitectures
• Exploits local parallelism and multi-core/threading
• More memory usage makes ASICs slower and costlier

Slide 17

Slide 17 text

Argon2's security (3/4): side-channel resistance
• We're concerned with software side channels
• Argon2i runs in constant time and accesses memory at password-independent addresses
• Argon2d does not

Slide 18

Slide 18 text

Argon2's security (4/4): time-space tradeoffs
• How much does it cost to hash with less memory?
• There should be no "shortcut"
• 2 excellent papers published this year…

Slide 19

Slide 19 text

http://eprint.iacr.org/2016/027 (Jan 2016, 53 pages)
Rigorous analysis of memory-hard hashing
• Introduced the Balloon hashing function
• Showed how to compute Argon2i with 4 times less space
• Motivated a tweak of Argon2i released March 2016

Slide 20

Slide 20 text

http://eprint.iacr.org/2016/115 (Feb 2016, 37 pages)
Theoretical analysis of memory-hard hashing's cost:
• Introduces an energy measure, more realistic than the area-time (AT) metric
• Presents asymptotic attacks on Argon2i and Balloon
• No practical impact on Argon2; similar attacks were already known

Slide 21

Slide 21 text

Standardization efforts @ IRTF (CFRG)

Slide 22

Slide 22 text

Conclusions
• We have a good understanding of Argon2's strengths and limitations
• Argon2 now has a mature reference implementation
• You can use it from most popular languages
For any support: http://password-hashing.net/#contact